520 likes | 769 Views
Privacy Issues in the Application of Biometrics. Marina Gavrilova. Outline. Introduction Privacy – from the philosophical concept to human rights The European Personal Data Directive The role of privacy-enhancing technologies Looking to the future
E N D
Privacy Issues in the Application of Biometrics Marina Gavrilova
Outline • Introduction • Privacy – from the philosophical concept to human rights • The European Personal Data Directive • The role of privacy-enhancing technologies • Looking to the future • Social and psychological context of the application of biometric methods • Conclusions
Introduction • Biometric methods of authentication offer a more secure link between a specific individual and a non-human entity. Numerous trials and deployments demonstrate the wide range of possible application: • restriction of access to physical spaces and electronic resources to those individuals who have been previously cleared; • denying the opportunity for potential fraudsters to assume multiple identities; • enforcing accountability for individuals undertaking electronic transactions; • matching facial images from CCTV cameras to databases of criminals
Introduction • Concerns appear to centre on the threats to the end user’s privacy. • For many, the widespread use of biometric technologies in films and the perception of these techniques as “perfect” have reawakened the fears of an all-knowing computer systems able to track every citizen and consumer, perhaps placing the reputation of the individual at risk. • Also, the future possibilities of the use of DNA data in tracking people, and in the linking of biometrics with parallel developments in other surveillance technologies.
Introduction • Both during the 2nd WW and under post-war Central and Eastern European governments had manually operated filing systems tracked dissident citizens and members of minorities. S • Such motions where first codified in the 1950 European Convention of Human Rights (ECHR). • Two decades later, with the commercialization of large mainframe computers, the first laws to protect “personal data” about individuals were drafted, based upon an internationally agreed framework but with a local interpretation.
Introduction • With the expansion of the European Union, the need for harmonization of these laws required a European-wide legal consensus. • The 1995 Personal Data Directive and its transposition into national laws offers the legislative underpinning to any discussion about the use of biometrics in modern systems in Europe. • However, its approach predated the age of the Internet, and its complexity rendered it opaque to the average person.
Introduction • Biometric technologies are almost unique as a security mechanism in the need for cooperation by the end user to ensure their correct operation. • Some user concerns can be addressed directly, for example by studies into any health and safety issues, although it is clear that attitudes may take time to change. • Those concerns that are less clearly articulated will require more extended studies.
Outline • Introduction • Privacy – from the philosophical concept to a human right • The European Personal Data Directive • The role of privacy-enhancing technologies • Looking to the future • Social and psychological context of the application of biometric methods • Conclusions
Privacy- from philosophical concept to a human right • The notion of individual privacy appears to be a modern phenomenon. • In less mobile societies with poor roads, few people would venture outside their immediate neighborhood and the arrival of fairs or itinerant travelers was subject to closely circumscribed laws. • In these societies, the daily lives of the ordinary people were led without much privacy. I.e., the strong Puritan tradition in the 17th century in England and the American colonies seemed to encourage a surveillance by one’s neighbors.
Privacy- from philosophical concept to a human right • Shapiro regards the partitioning of rooms in a household as the first step to a culture of privacy and individuality. • Next, in 18th and 19th century improvements in road quality and the creation of a canal and railway network (the latter going in hand with the first electronic communications – the telegraph). • The rapid urbanization of much Western Europe and parts of the USA completed the options for many citizens to move outside of their place of birth and schooling, to assert an individuality apart from their kinship groups. • The second half of the 19th century saw the introduction of the census and codification of laws on recording births, marriages, and deaths.
Privacy- from philosophical concept to a human right • 19th century was the time for the first use of biometric identities for tracking and recording criminals using file systems. • Initially this aimed to collect as much information about externally visible features and easily measurable dimensions, Bertillon’s anthropometry being the most celebrated scheme. This short-lived approach was superseded a few years later by the discovery of the remarkable individuality of fingerprints. • By the turn of 19th century, Scotland Yard had embarked on the use of the hugely successful Galton-Henry classification system and the fingerprint as a key forensic tool had arrived.
Privacy- from philosophical concept to a human right • With the questioning of the power of a state to affect all facets of the life of the citizen, one part of the personal privacy debate has started. The other aspect, that of giving individuals a right over the way the information about them is collected and used was a remain less pressing for another half century. • In 1950, the participating states to the Council of Europe articulated a response in Article 8 of the ECHR guaranteeing a right of privacy: • “Everyone has the right to respect for • his private and family life, his home and his correspondence. “ • The Convention offered individual redress against governments abusing their authority by an ultimate personal appeal to the European Court of Human Rights in Strasbourg.
Privacy- from philosophical concept to a human right • The increasing prosperity of the 50s and early 60s was accompanied by a belief in the benefits of technological progress and organizational efficiency. In particular, governments in Europe were attracted to the potential of computerization of records, such as social welfare payments. • But the climate of thought amongst Europeans changed. Although the events of ’68 were characterized as a rebellion by the youth of Europe, other currents of opinion were questioning the wisdom of concentrating power, and the information on which power is built without countervailing checks and balances.
Privacy- from philosophical concept to a human right • The world’s first data protection act, passed in the German state of Hessen in 1970 was directed at offering this check on the operations of a regional government, but as more countries recognized the need for such legislation, the scope widened to take in commercial use of personal data as well. • Increasingly, the limitations of national laws in a rapidly globalizing world led to calls for an international system for data protection, to protect against states with no laws or inadequate laws from becoming “data heavens” with no controls on the processing of data.
Privacy- from philosophical concept to a human right • Although these agreements were influential in determining the course of subsequent laws – such as the first UK Data Protection Act in 1984 – by 1990 it was clear to the European Commission that the lack of a common framework, under which personal information could be gathered, processed, stored, transmitted and disposed of securely, was likely to impede the commercial development of both existing and novel services.
Privacy- from philosophical concept to a human right • Over the course of the following 5 years, the Commission agreed the principles for an EU-wide directive of 1995. This required governments in each of the countries to transpose the directive into national law by 1998 (http://ec.europa.eu/justice_home/fsj/privacy/ ) • In spite of this recent agreement, there have already been calls to make changes in the light of experience in applying the framework directive.
Outline • Introduction • Privacy – from the philosophical concept to a human right • The European Personal Data Directive • The role of privacy-enhancing technologies • Looking to the future • Social and psychological context of the application of biometric methods • Conclusions
The European Personal Data Directive • This directive establishes 8 Principles of personal data protection which determine the legality of the processing of such data. Personal data must be: • Processed fairly and lawfully • Collected for specified and lawful purpose and not processed further in ways that are incompatible with these (the “finality” principle). • Adequate, relevant and not excessive in relation to the purposes for which they are collected or processed. • Accurate (and where necessary kept up to date).
The European Personal Data Directive • Not kept longer than is necessary for the stated purposes (that is in a form that permits identification of the data subjects). • Processed in accordance with data subject’s rights. • Secure (against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, using measures that have regard to the state of the art and costs of implementation, and ensuring that a level of security is maintained that is appropriate to the risks represented by the processing and the nature of the personal data to be protected). • May only be transferred to those countries that ensure an adequate level of protection for personal data.
Applying the directive and national laws to biometric systems • Although Data Protection Commissioners recognize that biometrics offers a challenge to the legal framework on personal data and privacy, to date only 3 have explicitly considered the ground rules for operation of biometric-enabled systems.
Applying the directive and national laws to biometric systems • More recently, CNIL, the French data protection commission, has undertaken a major study into the privacy implications of biometrics. • It found that there was a lack of reliable information about how biometric-enabled systems operate in practice and confirmed that, in general, technologists and data controllers were not aware of the rights of end users. • In view of the potential harm that could result to end users from systems not designed in accordance with data protection principles, CNIL has proposed a number of measures.
Applying the directive and national laws to biometric systems • In its 2001 annual report, CNIL categorized applications using biometrics into two broad groups: • There was no problem with systems where the template storage is under the end user’s control, e.g. stored on a card, a PC, or a cell phone in the possession of the user. • The second class, where the template is stored in a centralized database, is more complex. Where the biometric record is of a type that leaves no trace or is not easily captured without the cooperation of the end user (such as eye-based systems or those applying hand geometry devices), integrators can use these methods, provided that the usual data protection principles, such as finality and proportionality are observed. In contrast, centralized template storage using biometrics that leave a trace or can be easily obtained (such as systems with face, fingerprint, or DNA recognition) should only be applied in high security systems.
Applying the directive and national laws to biometric systems • The European Commission funded BIOVISION roadmap project to review the biometric context of the directive and national laws, and provide initial materials towards the definition of a code of conduct for applications making use of a biometric in a privacy-compliant manner. • A parllel activity is being undertaken by the UK government managed Biometric Working Group.
Biometric data as “personal data” • Perhaps the aspect of personal data protection law that has been debated most extensively is the question of application of the law to biometrics. To what extent is biometric data “personal data” within the meaning of the directive and the national laws? • The directive defines personal data to be “any information relating to an identifier or identifiable natural person”, making the distinction with legal entities such as companies. Furthermore, it amplifies the definition by stating that an identifiable person is one who can be identified directly or indirectly, I particular by reference to: • An identification number; or • To one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity
Biometric data as “personal data” • Possible personal data that relate to the implementation of biometric can include: • The image or record captured from the sensor at the initial enrollment. • Any transmitted form of the image or record between sensor and processing systems. • The processed data • The stored image or record or template • Any accompanying data collected at the time of enrollment • The image or record captured from the sensor during normal operation of the biometric • Any transmitted form of the image or record at verification or identification • The template obtained from the storage device. • Any accompanying data obtained at the time of verification or identification. • The result of matching process • Any updating of the template in response to the identification or verification.
Biometric data as “personal data” • Situations where biometric data is not treatable as personal data are likely to be relatively rare. • One case where data is unlikely to fall within this definition is for a biometric application where all of the following conditions are met: • The identity of a previously enrolled individual is only represented by a “one way” template with no possibility if reconstruction of the original record. • The template could also be generated by a sufficient number of other subjects in the population • The template is stored on a card (or token) held by the end user. • The comparison, at verification, of the output of the sensor with the template, is made on the card (or token) itself. • All images and records relating to the enrollment are securely disposed of at the time of enrollment.
Biometrics and sensitive data • Article 8 of the personal data directive lists the following special categories of data that demand specific additional attention: • Racial or ethnic origin • Political opinions • Religious or philosophical beliefs • Trade union membership • Processing of data concerning health or sex life • In general, the subject should have given explicit consent to the processing of such data, although there are a number of exemptions from this requirement. Note that data relating to offences, criminal convictions or security measures may only be carried out under the control of an official authority.
Biometrics and sensitive data • Those aspects that might impact on the operation of biometric methods are racial or ethnic origin and data relating to health. It is inevitable that the initial photographic image captured by the camera in a face recognition system will have some indication of race.
Biometrics and sensitive data • Most biometric systems have been developed, validated and tested by organization in the USA and Europe. It is not inconceivable that the algorithms that are used operate preferentially for ethnic groups that are highly represented in those geographical areas; and that, for example, directed represented searches for templates of facial images relating to non-Caucasians could be successfully initiated – albeit with results outputted on a probabilistic basis.
Proportionality principle • A fundamental principle in European law is that of proportionality, which some writers maintain would rule out the use of biometric method, if the objective could be achieved in some other, less privacy-threatening way. • Jan Grijpink describes how a hand geometry device is likely to be acceptable for access to buildings critical for the operation of an organization, whereas access control by means of fingerprint biometric to a secondary school might be more difficult to justify.
First principle compliance – fair and lawful processing • Processing of personal data needs to be carried out in a fair and lawful manner. This includes the act of obtaining the biometric data in the first place. Convert collection of biometric data is not permitted unless it falls within one of the defined exemptions. Wherever possible, the subject’s consent should be sought, since that consent removes many of the problems for an agency deploying a biometric- enabled system.
4th principle compliance - accuracy • By their very nature, biometric systems could occasionally return a false accept and with it the possibility of an inaccurate record of activity against another individual. • Whether this is considered as a failing in accuracy or in security (the 7th principle), the system designer and implementer should take appropriate steps to ensure that the personal data of the individual whose identity has been assumed is not compromised.
7th principle compliance - security • Requires the controller (the person or agency) that determines the purposes and means of processing of the personal data) to implement appropriate technical and organizational measures to protect the personal data against: • Unlawful destruction or accidental loss; • Alteration; • Unauthorized disclosure or access; • And all other unlawful forms of processing.; • in particular where the transmission involves a network. If processors are different from controllers they must provide guarantees that the security measures are carried out. In addition, a legal contract must be in place between the controller and the processor. The measures must take account of the state of the art and assess the costs and risks involved.
8th principle compliance – transfer to third countries • Transfer of data to those countries that have an adequate level of protection is not allowed except under specific conditions (Article 25 of the Directive)
Article 8 of the European Human Rights Convention • Everyone has the right to respect for his private and family life, his home and his correspondence. • There shall be no interference by a public authority with the exercise of this right except such as in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being.
Article 8 of the European Human Rights Convention • Wadham and Mountfield comment that the second test of accordance with the law requires: • The need for a specific legal rule to authorize this interference • Adequacy of access to the specific law by an individual • The law must be sufficiently precisely formulated to allow the individual to foresee the circumstances under which the law could be applied. • Challenges to the legality of biometric schemes based upon this right could arise in government applications, where the personal data directive offers exemptions, e.g. in national identity schemes, for security systems in critical infrastructures, in the criminal justice system and in the provision of medical services.
Outline • Introduction • Privacy – from the philosophical concept to a human right • The European Personal Data Directive • The role of privacy-enhancing technologies • Looking to the future • Social and psychological context of the application of biometric methods • Conclusions
The role of privacy-enhancing technologies • Many innovative services will use personal data in order to improve customer experience as well as providing valuable feedback to the service provider. • The European Commission recognized the benefits of such innovation, but was also concerned that consumers might not appreciate the significance of agreeing to such reuse of personal data. • It has promoted Privacy-Enhancing Technologies (PETs) that would provide a measure of protection. Their studies distinguished 2 types of PET: • Where the design of biometric-enabled system is tailored to be privacy-respecting using the best available technologies. • Where measures are offered to the end users individually to enable them to protect their privacy.
The role of privacy-enhancing technologies • Biometric devices could be designed in accordance with PET principles (now there is one system only). • For biometric enabled systems to be designed for privacy and security, the customer for the deployment and the customer’s system designers need to consider such requirements from the inception of a project. • Example of the first type: it stores the template only on the card held by the user.
Outline • Introduction • Privacy – from the philosophical concept to a human right • The European Personal Data Directive • The role of privacy-enhancing technologies • Looking to the future • Social and psychological context of the application of biometric methods • Conclusions
Looking to the future • Countries in the EU have chosen to transpose the Personal Data Directive in different ways, thereby adding to the confusion that the harmonization of laws was meant to address. • Some states, e.g. UK, Netherlands, decided in general to follow the wording of the directive, applying it to both the public and private sectors, clearly identifying the exemptions for government activities in the areas of national security, criminal justice, health etc. • Germany has delineated its national law into two sections that deal with private and public applications separately. • The Irish bill amends the pre-existing legislation on a cause-by-clause basis in order to conform to the 1995 directive. • The detail in Swedish national law makes explicit the right to revoke at any time a previously given consent for processing of personal data if they are of the sensitive class or if they are to be transferred to certain third countries.
Looking to the future • Among the possibilities that are under consideration are: • A statement of purpose of installation, with rationale for use of biometric over conventional means of authentication. • A maximum time-scale within which controller will respond to any questions. • A statement in respect of ”opt-in” or “opt-out” opportunities for end uses together with any rights afforded to the end users in respect of all personal data held on them. • Stated retention periods of personal data. • Any accesses permitted for third parties, including those permitted for lawful authorities. • Any Privacy Impact Assessment that may have been made prior to deployment • Specification of procedures to ensure secure disposal of the personal data in the event of withdrawal of the system. • Details of the external audit of the system and whether this will be available to the public or end users. • Review procedures and dates for re-examination of the operation of the system.
Outline • Introduction • Privacy – from the philosophical concept to a human right • The European Personal Data Directive • The role of privacy-enhancing technologies • Looking to the future • Social and psychological context of the application of biometric methods • Conclusions
Social and Psychological Context of the Application of Biometric Methods • Many individuals are fearful of the introduction of biometrics. Questionnaire studies show wide differences in the response to proposals such as the replacement of PIN with a fingerprint or the use of an eye identification method.
Social and Psychological Context of the Application of Biometric Methods • Some components of the fear of biometrics were identified by Simon Davies in 1994. Since then, many other commentators have added to the list. • The de-humanization of people by their reduction to bytes on a computer. • The high integrity of identification reverses the “natural” relationship of government serving citizens and society. • Fear of society being increasingly driven by a technocracy, rather than a democratically elected government. • A system that would entrench fraud and criminality through technologically secure systems. • The methods are the mechanism foretold in religious prophecies.
Social and Psychological Context of the Application of Biometric Methods • The impact of Hollywood’s association of biometric methods with spies, advanced military hardware, and science fiction may have increased these concerns, portraying these as perfect technologies in the service of powerful organizations. • The first stage in addressing these concerns is to gather these issues from all sections of the target population and to organize them in ways that allow further investigatiion.
Social and Psychological Context of the Application of Biometric Methods • Victoria Belotti has developed a model based upon the need of users to have feedback on, and then exert control over, four elements in complex environments: • Capture of personal information into the system • What happens once the information is in the system • Who and what processes will make use of it • For what purpose they will use that personal information. • Further research by Anne Adams has centered even more on the end user’s perspective on the transfer of personal information to organizations.
Social and Psychological Context of the Application of Biometric Methods • Further research by Anne Adams has centered even more on the end user’s perspective on the transfer of personal information to organizations. Here the end user has three principal concerns: • That the trust she places in the receiver of the personal data is not misplaced. • That the risk-benefit analysis she makes of the usage to which that data is put is correctly assessed. • That her judgment as to the sensitivity of the information is correctly made.
Social and Psychological Context of the Application of Biometric Methods • One approach to ensuring that such issues are considered during the system design is to carry out a Privacy Impact Assessment at an early stage of process (i.e. requirements capture stage). • Innovative trailing of new technologies that balance the technical and human aspects, has been under way for many years. Predominantly in Scandinavian countries. • Future biometric-enabled systems will have a higher likelihood of success if they take account of such approaches.
Outline • Introduction • Privacy – from the philosophical concept to a human right • The European Personal Data Directive • The role of privacy-enhancing technologies • Looking to the future • Social and psychological context of the application of biometric methods • Conclusions